# Lab - Medium

## Let us commence 🚀

First, we'll begin with reconnaissance to identify open ports.

<figure><img src="/files/P4sxjgU0BrOzvHPaXzxL" alt=""><figcaption><p>nmap scan</p></figcaption></figure>

After conducting the nmap scan, we've discovered several open ports. Let's now proceed to examine and engage with each one.

Port 2049 is accessible; let's explore the NFS server to discover potential opportunities.

**NFS** (Network File System) is a **client/server** file-sharing protocol that lets users access files over a network as though those files were located in a local directory.

<figure><img src="/files/VSAs0TN75bPc6kq61HPB" alt=""><figcaption></figcaption></figure>

Here, I attempted to enumerate available shares using "showmount" and discovered the directory named "TechSupport". Let's explore its contents.

<figure><img src="/files/B69A4nnauhlYfrcNjCXq" alt=""><figcaption></figcaption></figure>

I discovered several tickets, most of which were empty except for one. Let's examine its contents.

<figure><img src="/files/CfYQWjqOSzlwrGzUeafi" alt=""><figcaption></figcaption></figure>

I discovered an email containing credentials for a user named 'Alex' along with the corresponding Operator. Let's attempt to establish a connection via the RDP server to explore further possibilities.

<figure><img src="/files/ZCbBMZSARAuTNoFRkvQS" alt=""><figcaption></figcaption></figure>

I have gained access to the target via RDP using Remmina. Feel free to utilize any tool of your preference. Let's explore the possibilities.

<figure><img src="/files/fhsi9tCK65HFlhmROxFG" alt=""><figcaption></figcaption></figure>

I conducted enumeration on the target and discovered a file titled "important.txt" within a directory labeled "devshare," yielding credentials for a user named "sa".
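Both findings so far (the ticket on the "TechSupport" share and "important.txt" in "devshare") are plaintext credentials left in shared files, which a share owner can sweep for before anyone else does. The following is an added example, not part of the original write-up: the patterns, file names `ticket1.txt`/`ticket2.txt`, and all file contents are constructed assumptions, and the report redacts every matched value.

```python
import os
import re
import tempfile

# Heuristic (assumption): "key: value" / "key = value" pairs whose key looks like a secret.
SECRET_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S+)"
)
MAX_BYTES = 1_000_000  # skip large files; support tickets and notes are small


def scan_share(root):
    """Return (relative_path, line_no, key, redacted_value) for each hit under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if size == 0 or size > MAX_BYTES:
                continue  # empty placeholder files and bulk data are skipped
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    for m in SECRET_RE.finditer(line):
                        value = m.group(2).strip("\"'")
                        # Never copy the secret into the report: first char + length only.
                        redacted = value[:1] + "*" * (len(value) - 1)
                        findings.append((os.path.relpath(path, root), line_no, m.group(1).lower(), redacted))
    return findings


def build_sample_share(root):
    """Constructed sample data mimicking the shares above; all values are made up."""
    os.makedirs(os.path.join(root, "TechSupport"))
    os.makedirs(os.path.join(root, "devshare"))
    open(os.path.join(root, "TechSupport", "ticket1.txt"), "w").close()  # empty ticket
    with open(os.path.join(root, "TechSupport", "ticket2.txt"), "w") as fh:
        fh.write("From: support\nsmtp user=\"exampleuser\"\nsmtp password=\"Example123!\"\n")
    with open(os.path.join(root, "devshare", "important.txt"), "w") as fh:
        fh.write("db login\nuser: exampleadmin\nPassword: NotARealOne\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for rel, line_no, key, redacted in scan_share(tmp):
            print(f"{rel}:{line_no}: {key} -> {redacted}")
```

Point `scan_share` at the exported directory on the file server itself; any hit means the credential should be rotated and the file removed from the share.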

Upon gaining access to the target through RDP, I found a Microsoft SQL Server. Let's attempt to access it using the credentials we've obtained.

<figure><img src="/files/SGsX2GQhLrPifGcX9Iig" alt=""><figcaption></figcaption></figure>

When attempting to access the Microsoft SQL Server with the provided credentials, an error occurred, preventing successful login. Let's now attempt to access the Microsoft SQL Server with administrative privileges.

<figure><img src="/files/gl7BO1769x8cHPIokNmG" alt=""><figcaption><p>Right Click + Run as administrator</p></figcaption></figure>

I initiated the Microsoft SQL Server application by right-clicking and selecting 'Run as Administrator.' Upon entering the password and confirming with 'Yes,' the application successfully launched, allowing me to establish a connection.

<figure><img src="/files/X4TFYgNQgZkpFd5Qqace" alt=""><figcaption></figcaption></figure>

Let's proceed to generate a new query to retrieve the password for the user "HTB."

<figure><img src="/files/M7Cfao6jGDp52pPQQWpD" alt=""><figcaption><p>SELECT * FROM accounts.dbo.devsacc where name = 'HTB'</p></figcaption></figure>

We have successfully obtained the password for the user 'HTB' and completed the lab. Thank you for taking the time to read this write-up.

